Boycott Sony!

If you've recently purchased a Sony/BMG compact disk and played it on your computer, you may have troublesome spyware installed on your PC. In addition, you may also be vulnerable to viruses and other hacker attacks as a result of Sony's controversial copy-protection software called XCP, which installs hidden files deep in PC users' Windows operating system. The malicious code on music CDs was discovered two weeks ago by Mark Russinovich at Winternals Software LLC. At least 50 releases are affected, including Trey Anastasio's “Shine”, Neil Diamond's “12 Songs”, Van Zant’s “Get Right With The Man”, and Celine Dion's "On Ne Change Pas". A complete list of titles and artists can be found here.

Among other things, the software tracks how many times the CD has been played and if any copies of it have been made, and secretly reports this information along with the user’s IP address back to Sony. It does this by installing what is called a “rootkit” onto your computer, which intercepts the principal system services that all programs and Windows itself rely on. Moreover, the rootkit runs in a “stealth” mode that makes it extremely difficult to detect and remove. Since the operating system is compromised, it’s easy for hackers to exploit; already a number of viruses taking advantage of this “back door” created by XCP have been unleashed on unsuspecting users.

Sony has provided a FAQ about the XCP technology, and has recalled the affected disks due to a firestorm of criticism from consumers and computer security experts, including Microsoft. They are also offering exchanges to anyone who bought any of the approximately 2.1 million disks that have been sold with the software, a move expected to cost millions of dollars. Estimates are that up to 500,000 PCs may be infected, and some lawsuits have already been filed.

Sony claims that “we deeply regret any inconvenience this may cause our customers, and we are committed to making the situation right”. While that sounds like a good PR response, the facts sadly reveal a company operating under the assumption that it's customers are criminals. Sony BMG released the disks containing XCP months ago, keeping it secret. Only now, two weeks after the code was discovered and complaints began to arise, has the company finally admitted responsibility. More significantly, Sony has only agreed to “temporarily” stop making CD’s containing XCP. Disregarding the damage already done, even if they completely pull the plug on this particular brand of offensive malware, they have no intention of becoming more benevolent in the future. Waiting in the wings is Sunncomm’s Mediamax, a digital-rights management tool that is less intrusive yet nevertheless accomplishes the same goal of restricting the ability of consumers to listen to music they have purchased in the way that they choose. Indeed, while acknowledging problems with XCP, Sony BMG is unrepentant, saying: "We stand by content-protection technology as an important tool to protect our intellectual property rights and those of our artists".

Much has been made of the recording industry's heavy-handed attempts to eliminate file sharing. Their tactics include subpoenaing ISP's to turn over the names of their customers, filing thousands of harassing lawsuits against individual alleged infringers (including young children), shutting down peer-to-peer services like Grokster, a massive PR campaign intended to make the public equate file sharing with "stealing", and now this. Let me see if I've got it straight: allowing consumers to swap music illegally is bad, but making it possible for hackers to illegally hijack your computer is just another average day in the record business.

This is, quite simply, bullshit. I do not condone piracy, but no company that sells any product has the right to take over my computer without my knowledge or permission. We are at a critical stage in the entire copy-protection controversy, and what happens now will set an important precedent for years to come. There is one way to send a message to the record companies and the RIAA that this sort of arrogant behavior will not be tolerated: boycott Sony. Not just CD’s, but all Sony products. If they have such little respect for their customers, they must be shown that they need those customers in order to survive.

More information: PC-World Magazine, Rolling Stone, The Register (UK), Wired Magazine, Information Week